Stan Hoeppner put forth on 1/22/2010 1:28 AM:

> I've wondered for a couple of months why my rbl check is being skipped. I've
> not seen a spamhaus entry in my logs since Sept 25 '09. Interestingly, postgrey
> is being called now and then, and it is after the rbl check in main.cf. Any
> idea why my rbl check is being skipped? What have I screwed up to cause this?
Bad form replying to my own post but... After a hint from Ralf, I started digging around and here is what I found:

1. Spamhaus has banned Google Public DNS resolver queries. I didn't know this until today. If Postfix is using Google Public DNS resolvers, rbl queries to zen.spamhaus.org fail but Postfix (Debian Lenny 2.5.5-1.1) logs NOTHING about it. Not the query attempt, not the failure, zilch, nut'n. This explains why I haven't seen any zen entries in my log since Sept 25 last year, apparently the day I switched to Google DNS resolvers. A total lack of log entries makes troubleshooting anything very difficult. Thanks to Ralf's off-list suggestion, I was able to start troubleshooting down the correct path.

2. For other dns resolvers that Spamhaus doesn't like, such as a few under the CenturyLink umbrella (former Embarq/Sprint resolvers), an error is logged, such as:

Jan 22 05:27:53 greer postfix/smtpd[19251]: warning: 50.211.118.82.zen.spamhaus.org: RBL lookup error: Host or domain name not found. Name service error for name=50.211.118.82.zen.spamhaus.org type=A: Host not found, try again

3. Sometime between my switch to the Google resolvers and today, Spamhaus decided to ban my previous Embarq resolvers. So, when I switched back to the old ones, I got errors like that above, and my zen queries still failed. I dug around through some very old paperwork and found a set of old Sprint resolvers in Kansas City I'd never actually used which aren't banned by Spamhaus. Turns out this is probably a good thing since the resolvers I found that work are also closest physically and electrically, the primary being 4 hops and 35ms away, the secondary 7 hops and 40ms away.

I'm glad I got this solved. I really wish that when I was using the Google resolvers that Postfix would have been logging some kind of errors. If it had, I'd have known I had a real problem much sooner. The total lack of log entries for ~3 months is what finally jolted me to look into this.
This is a sad state of affairs. So the question at this point is, why didn't Postfix log any errors when NXDOMAIN was returned, but did log errors when SERVFAIL is returned?

--
Stan
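The failure mode in the post is worth having a check for, because an MTA cannot see it from its logs: a DNSBL answers NXDOMAIN for every IP that is not listed, so a resolver that answers NXDOMAIN for everything looks exactly like a world with no spam, while SERVFAIL is a real lookup error that Postfix warns about. The script below is an added example, not code from the mailing-list post or from Postfix. It sends a raw UDP DNS query (so the response code is visible, which the standard socket resolver functions hide) for the 127.0.0.2 test address that Spamhaus documents as always listed, and classifies the answer the way the MTA would; the constructed replies built by `build_response` exist only so the classification can be exercised offline. The 127.255.255.x return codes are the ones Spamhaus currently documents for queries from blocked public resolvers; the function and variable names are this example's own.

```python
import random
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
SPAMHAUS_TEST_IP = "127.0.0.2"  # documented by Spamhaus as always listed in zen


def rbl_name(ip, zone):
    """Reverse the IPv4 octets and append the zone: 82.118.211.50 -> 50.211.118.82.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_query(name, txid):
    """Recursive A query for name: 12-byte header (RD flag only) plus the question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", 1, 1)  # type A, class IN


def build_response(name, txid, rcode, addrs):
    """Constructed reply for offline demonstration only; real answers come from the resolver."""
    flags = 0x8180 | rcode  # QR, RD, RA set; rcode in the low nibble
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addrs), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b""
    for a in addrs:  # 0xC00C is a compression pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(a)
    return header + question + answers


def _skip_name(msg, off):
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg, txid):
    """Return (rcode name, list of A records) from a raw DNS reply."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip qtype/qclass
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return RCODE_NAMES.get(flags & 0x0F, str(flags & 0x0F)), addrs


def classify(rcode, addrs):
    """Map a DNSBL answer to what the MTA does with it."""
    if rcode == "NXDOMAIN":
        return "not-listed"  # the normal answer for a clean IP, so nothing is logged
    if rcode == "NOERROR" and addrs:
        if any(a.startswith("127.255.255.") for a in addrs):
            return "lookup-error"  # Spamhaus's own "your resolver is blocked" codes
        return "listed"
    return "lookup-error"  # SERVFAIL, REFUSED, empty answer: Postfix logs a warning


def query(name, resolver, timeout=3.0):
    """One UDP query to the resolver IP; raises socket.timeout on no answer."""
    txid = random.randrange(0, 65536)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid), (resolver, 53))
        data, _ = sock.recvfrom(512)
    finally:
        sock.close()
    return parse_response(data, txid)


def check_rbl_reachable(resolver, zone="zen.spamhaus.org"):
    """'listed' means the resolver genuinely reaches the DNSBL; anything else means
    the MTA's RBL check is a silent no-op or an error path via that resolver."""
    rcode, addrs = query(rbl_name(SPAMHAUS_TEST_IP, zone), resolver)
    return classify(rcode, addrs), rcode, addrs


if __name__ == "__main__":
    import sys
    for r in sys.argv[1:] or ["127.0.0.1"]:  # default: a local caching resolver
        try:
            print(r, check_rbl_reachable(r))
        except (OSError, ValueError) as exc:
            print(r, "lookup-error", exc)
```

Run it with the resolver addresses from /etc/resolv.conf as arguments; a healthy resolver prints `listed` with the 127.0.0.x codes, and `not-listed` for the test address is precisely the silent condition the post describes, since Postfix will treat every such reply as "this client is clean". Putting this in a cron job that alerts on anything other than `listed` turns an invisible three-month outage into a same-day ticket.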